Schemas

Included indexes

Schemas for all indexes

rule.fields_normalized

This field has the same values as rule.fields however, the values are normalized by:

  • switching from camelCase to snake_case
  • replacing _ with .
  • replacing junctions of camelCase words with .
  • lower cased

The purpose of this is to standardize comparisons across the disparate rule sets. This format is based on the Elastic ECS format.

Example event in elasticsearch

{
  "rule.techniques": [
    "T1543",
    "T1556"
  ],
  "rule.logic": "event.category:file and event.type:change and\n  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n  process.executable:\n    (* and\n      not\n      (\n        /usr/libexec/packagekitd or\n        /usr/bin/vim or\n        /usr/libexec/xpcproxy or\n        /usr/bin/bsdtar or\n        /usr/local/bin/brew or\n        \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n      )\n    ) and\n  not file.path:\n         (\n           /tmp/snap.rootfs_*/pam_*.so or\n           /tmp/newroot/lib/*/pam_*.so or\n           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n           /tmp/newroot/usr/lib64/security/pam_*.so\n         ) and\n  not process.name:\n         (\n           yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or\n           dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or\n           systemd or containerd or pacman\n         )\n",
  "rule.logic_hash": "1c31a5310f0b2617c31b24c996492633e413a7dddb4571b2d7900ee6605bf99c",
  "rule.fields": [
    "event.type",
    "process.executable",
    "process.name",
    "file.path",
    "event.category",
    "file.name"
  ],
  "rule.fields_normalized": [
    "event.category",
    "event.type",
    "file.name",
    "file.path",
    "process.executable",
    "process.name"
  ],
  "rule.references": [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"
  ],
  "rule.false_positives": [
    "trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes."
  ],
  "rule.link": "https://github.com/elastic/detection-rules/blob/da8f3e48806300ea7384bad8bdf75a1d2750c5b2/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml",
  "status": "unchanged",
  "rule.sha": "da8f3e48806300ea7384bad8bdf75a1d2750c5b2",
  "rule.author": "elastic_siem",
  "rule.category": [
    "cross-platform"
  ],
  "rule.description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process\nor modifying the login configuration to allow unauthorized access or elevate privileges.\n",
  "rule.id": "93f47b6f-5728-4004-ba00-625083b3dcb0",
  "rule.license": "elastic license 2.0",
  "rule.name": "Modification of Standard Authentication Module or Configuration",
  "rule.ruleset": [
    "cross-platform"
  ],
  "rule.uuid": "93f47b6f-5728-4004-ba00-625083b3dcb0",
  "updated_at": "2024-06-22T23:11:34.444Z"
}

Additional fields for rule-alerts schema

The following additional fields are present within the rule-alerts index:

Example:

{
  "new_terms": [
    "entry.exists",
    "entry.trusted",
    "process.thread.ext.call.stack.final.user.module.code.signature"
  ],
  "new_terms_description": "new detection logic fields by author detected over last 30d"
}

The four types of new terms are:

  • new detection logic fields detected over last 30d
  • new detection logic fields by author detected over last 30d
  • new techniques detected over last 30d
  • new techniques by author detected over last 30d

© A project by @br0k3ns0und | br0k3nlab